net/bridge/netfilter/nf_tables_bridge.c

   1 /*
   2  * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
   3  * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Development of this code funded by Astaro AG (http://www.astaro.com/)
  10  */
  11
  12 #include <linux/init.h>
  13 #include <linux/module.h>
  14 #include <linux/netfilter_bridge.h>
  15 #include <net/netfilter/nf_tables.h>
  16 #include <linux/ip.h>
  17 #include <linux/ipv6.h>
  18 #include <net/netfilter/nf_tables_ipv4.h>
  19 #include <net/netfilter/nf_tables_ipv6.h>
  20
  21 static unsigned int
  22 nft_do_chain_bridge(void *priv,
  23                     struct sk_buff *skb,
  24                     const struct nf_hook_state *state)
  25 {
  26         struct nft_pktinfo pkt;
  27
  28         switch (eth_hdr(skb)->h_proto) {
  29         case htons(ETH_P_IP):
  30                 nft_set_pktinfo_ipv4_validate(&pkt, skb, state);
  31                 break;
  32         case htons(ETH_P_IPV6):
  33                 nft_set_pktinfo_ipv6_validate(&pkt, skb, state);
  34                 break;
  35         default:
  36                 nft_set_pktinfo_unspec(&pkt, skb, state);
  37                 break;
  38         }
  39
  40         return nft_do_chain(&pkt, priv);
  41 }
  42
  43 static struct nft_af_info nft_af_bridge __read_mostly = {
  44         .family         = NFPROTO_BRIDGE,
  45         .nhooks         = NF_BR_NUMHOOKS,
  46         .owner          = THIS_MODULE,
  47         .nops           = 1,
  48         .hooks          = {
  49                 [NF_BR_PRE_ROUTING]     = nft_do_chain_bridge,
  50                 [NF_BR_LOCAL_IN]        = nft_do_chain_bridge,
  51                 [NF_BR_FORWARD]         = nft_do_chain_bridge,
  52                 [NF_BR_LOCAL_OUT]       = nft_do_chain_bridge,
  53                 [NF_BR_POST_ROUTING]    = nft_do_chain_bridge,
  54         },
  55 };
  56
  57 static int nf_tables_bridge_init_net(struct net *net)
  58 {
  59         net->nft.bridge = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
  60         if (net->nft.bridge == NULL)
  61                 return -ENOMEM;
  62
  63         memcpy(net->nft.bridge, &nft_af_bridge, sizeof(nft_af_bridge));
  64
  65         if (nft_register_afinfo(net, net->nft.bridge) < 0)
  66                 goto err;
  67
  68         return 0;
  69 err:
  70         kfree(net->nft.bridge);
  71         return -ENOMEM;
  72 }
  73
  74 static void nf_tables_bridge_exit_net(struct net *net)
  75 {
  76         nft_unregister_afinfo(net, net->nft.bridge);
  77         kfree(net->nft.bridge);
  78 }
  79
  80 static struct pernet_operations nf_tables_bridge_net_ops = {
  81         .init   = nf_tables_bridge_init_net,
  82         .exit   = nf_tables_bridge_exit_net,
  83 };
  84
  85 static const struct nf_chain_type filter_bridge = {
  86         .name           = "filter",
  87         .type           = NFT_CHAIN_T_DEFAULT,
  88         .family         = NFPROTO_BRIDGE,
  89         .owner          = THIS_MODULE,
  90         .hook_mask      = (1 << NF_BR_PRE_ROUTING) |
  91                           (1 << NF_BR_LOCAL_IN) |
  92                           (1 << NF_BR_FORWARD) |
  93                           (1 << NF_BR_LOCAL_OUT) |
  94                           (1 << NF_BR_POST_ROUTING),
  95 };
  96
  97 static void nf_br_saveroute(const struct sk_buff *skb,
  98                             struct nf_queue_entry *entry)
  99 {
 100 }
 101
 102 static int nf_br_reroute(struct net *net, struct sk_buff *skb,
 103                          const struct nf_queue_entry *entry)
 104 {
 105         return 0;
 106 }
 107
 108 static __sum16 nf_br_checksum(struct sk_buff *skb, unsigned int hook,
 109                               unsigned int dataoff, u_int8_t protocol)
 110 {
 111         return 0;
 112 }
 113
 114 static __sum16 nf_br_checksum_partial(struct sk_buff *skb, unsigned int hook,
 115                                       unsigned int dataoff, unsigned int len,
 116                                       u_int8_t protocol)
 117 {
 118         return 0;
 119 }
 120
 121 static int nf_br_route(struct net *net, struct dst_entry **dst,
 122                        struct flowi *fl, bool strict __always_unused)
 123 {
 124         return 0;
 125 }
 126
 127 static const struct nf_afinfo nf_br_afinfo = {
 128         .family                 = AF_BRIDGE,
 129         .checksum               = nf_br_checksum,
 130         .checksum_partial       = nf_br_checksum_partial,
 131         .route                  = nf_br_route,
 132         .saveroute              = nf_br_saveroute,
 133         .reroute                = nf_br_reroute,
 134         .route_key_size         = 0,
 135 };
 136
 137 static int __init nf_tables_bridge_init(void)
 138 {
 139         int ret;
 140
 141         nf_register_afinfo(&nf_br_afinfo);
 142         ret = nft_register_chain_type(&filter_bridge);
 143         if (ret < 0)
 144                 goto err1;
 145
 146         ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
 147         if (ret < 0)
 148                 goto err2;
 149
 150         return ret;
 151
 152 err2:
 153         nft_unregister_chain_type(&filter_bridge);
 154 err1:
 155         nf_unregister_afinfo(&nf_br_afinfo);
 156         return ret;
 157 }
 158
 159 static void __exit nf_tables_bridge_exit(void)
 160 {
 161         unregister_pernet_subsys(&nf_tables_bridge_net_ops);
 162         nft_unregister_chain_type(&filter_bridge);
 163         nf_unregister_afinfo(&nf_br_afinfo);
 164 }
 165
 166 module_init(nf_tables_bridge_init);
 167 module_exit(nf_tables_bridge_exit);
 168
 169 MODULE_LICENSE("GPL");
 170 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 171 MODULE_ALIAS_NFT_FAMILY(AF_BRIDGE);